One third of global business decision makers report that their organisation would try to cut costs by considering paying a ransom demand from a hacker, rather than invest in information security. In the UK, this figure drops to a fifth (21%) of respondents. 

The findings from the 2018 Risk:Value Report, commissioned by NTT Security, the specialised security company of NTT Group, show that another 30 per cent in the UK are not sure if they would pay or not, suggesting that only around half are prepared to invest in security to proactively protect the business.

Examining business attitudes to risk and the value of information security, NTT’s report surveys C-level executives and other decision makers from non-IT functions in 12 countries across Europe, the US and APAC and from multiple industry sectors.

Confidence levels unrealistic

Levels of confidence about being vulnerable to attack also seem unrealistic, according to the report. Forty-one per cent of respondents in the UK claim that their organisation has not been affected by a data breach, compared to 47 per cent globally. More realistically, of those in the UK, 10 per cent expect to suffer a breach, but nearly a third (31 per cent) do not expect to suffer a breach at all. More worrying is the 22 per cent of UK respondents who are not sure if they have suffered a breach or not.

Given that just 4 per cent of respondents in the UK see poor information security as the single greatest risk to the business, this is unsurprising. Notably, 14 per cent regard Brexit as the single greatest business risk, although competitors taking market share (24 per cent) and budget cuts (18 per cent) top the table.

Business impact 

When considering the impact of a breach, UK respondents are most concerned about what a data breach will do to their image, with almost three-quarters (73 per cent) concerned about loss of customer confidence and damage to reputation (69 per cent). The highest figures for any country.

Whose responsibility is security anyway?

According to Risk:Value, there is no clear consensus on who is responsible for day to day security, with 19 per cent of UK respondents saying the CIO is responsible, compared to 21 per cent for the CEO, 18 per cent for the CISO and 17 per cent for the IT director. Global figures are very similar.

How prepared are organisations?

An impressive 77 per cent in the UK (compared to 57 per cent globally) claim to have a policy in place, while 10 per cent (26 per cent globally) are working on one. While 85 per cent of UK respondents with a policy in place say this is actively communicated internally, less than a third (30 per cent) admit that employees are fully aware of it.

In terms of incident response planning, the UK is the most well prepared with 63 per cent of respondents saying their organisation has already implemented a response plan, well above the global figure of 49 per cent, while 18 per cent are in the process. Just 1 per cent in the UK say they have no plans to implement an incident response plan.

Kai Grunwitz, Senior VP EMEA, NTT Security said, “the UK is leading the pack when it comes to planning for a security breach or for non-compliance of information/data security regulations. Given that the GDPR has just come into force, this is encouraging. However, while the majority claim their information security and response plans are well communicated internally, it seems it’s only a minority who are ‘fully aware’ of them. This continues to be an area that businesses are failing on time and time again and needs to be addressed as a priority.”

For further information on NTT Security’s 2018 Risk:Value report and to download a copy, visit: https://www.nttsecurity.com/en-uk/risk-value-2018